<?php 
  ## LIGHT security against sql injection mainly.
  ## if someone wants in, this has plenty of other security holes.
  if(!isset($_SESSION['evalanswer'])) { 
    session_start(); # start a new session
  }
  $checkans = "screendoor12";
  $database = "security";
 if($_SESSION['evalanswer'] != $checkans) {
  include("php/dbconnect.php");  
  $username = mysql_real_escape_string($_POST['username']);
  $password = mysql_real_escape_string($_POST['password']) . "SALTDONOTCHANGEEVER";
  $query = "SELECT db_id, first_name, last_name, username FROM users WHERE username = '$username' AND password = MD5('$password')";
  $result = mysql_query($query); 
  $row = mysql_fetch_object($result);
  if($row != NULL) { 
    $_SESSION['user_id'] = $row->db_id;
    $_SESSION['first_name'] = $row->first_name;
    $_SESSION['last_name'] = $row->last_name;
    $_SESSION['username'] = $row->username;
    $_SESSION['evalanswer'] = $checkans;
    $answer = $checkans;
  } else {
    $_SESSION['evalanswer'] = NULL;
  }
  mysql_close();
 } else { $answer = $checkans; }
      #echo $answer . " is answer<br>\n";
      if($answer != $checkans) {
        echo ('
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
 "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
  <head>
    <title>Welcome.</title>
    <meta http-equiv="Content-Type" content ="text/html; charset=utf-8">
    <link rel="stylesheet" href="authenticatejw.css" type="text/css">
');
include('php/jasonweirather.php');
echo('
  </head>
  <body>
    <div id="input_form">
     <div id = "challenge_response">
      <div id="challenge">Please log-in.
      <form action="'.$self.'" method="post">
        username: <input type="text" name="username" class="input_box"><br>
        password: <input type="password" name="password" class="input_box"><br>
        <input type="submit" value="Submit"/>
      </form>
      </div>
     </div>
    </div>
  </body>
</html>
        ');
        exit;
      } 
    ?>

